'Heartbleed' bug puts encrypted data in danger

Computer security specialists on Tuesday raised alarm about a freshly discovered bug in online data-scrambling software that hackers can turn to their advantage.

The bug dubbed "Heartbleed" in OpenSSL encryption software lets attackers illicitly retrieve passwords and other bits of information from working memory on computer servers, according to cyber-defense specialists at Fox-IT.

OpenSSL is used to protect passwords, credit card numbers and other data coursing through the Internet.

"There is no limit on the number of attacks that can be performed," Fox-IT said in a blog post that listed steps business IT handlers can take to thwart incursions.

Information considered at risk includes source codes, passwords, and "keys" that could be used to impersonate websites or unlock encrypted data.

"These are the crown jewels, the encryption keys themselves," said a heartbleed.com website devoted to details of the vulnerability.

"Leaked secret keys allows the attacker to decrypt any past and future traffic to the protected services and to impersonate the service at will."

Security researchers reported being able to dig out Yahoo password information by taking advantage of the bug. Yahoo released a statement Tuesday saying it had fixed the problem at its main online properties.

Fox-IT estimated that the vulnerability has existed for about two years, since the version of OpenSSL at issue was released.

OpenSSL is used by more than half of websites, but not all versions have the vulnerability, according to heartbleed.com.

The group behind open-source OpenSSL put out a security alert urging users to upgrade to an improved version of the software and gave credit for finding the bug to Neel Mehta of Google Security.

A blog post at the Tor Project website advised those with strong privacy needs to avoid the Internet for a few days at least to give websites and servers time to improve defenses and reset security credentials.